[keycloak-dev] default roles changes
Marek Posolda
mposolda at redhat.com
Wed Nov 6 09:30:30 EST 2013
On 6.11.2013 14:25, Bill Burke wrote:
> I don't see how composite roles have anything to do with this. While
> populating the token, a role in a role mapping should be checked to see
> if it is composite, then expanded into the token.
>
> Again, Stian's implementation is just incorrect. How does one revoke a
> default role for a user if every token is populated with it? For
> example, let's say when a person registers they get a 30 day trial period
> to view premium content. They register, get the "premium" role, but in
> 30 days, this "premium" role is revoked.
I don't know the details TBH. Maybe it's just a temporary impl until
composite roles are properly implemented and supported in the model.
Your use-case is valid and should be supported. On the other hand, let's
say you have default realm roles "foo", "bar". Then you create 1000
users. Then you decide that role "foo" shouldn't be a default realmRole
anymore. With mapping of default roles to users (and without composite
roles), you will need to revoke the "foo" role from every one of those 1000
users... It should be possible to handle this with composite roles, but
they are not actually supported AFAIK?

IMO it would be better to wait for Stian before removing stuff.
Marek
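
The trade-off argued in this thread, as an added example that is not part of the original message and is not Keycloak code: a toy Python model of three ways to apply default roles, run against both use cases raised above (revoking "premium" from one user, and dropping "foo" as a default after 1000 users exist). The `Realm` class, the strategy names and the detach-on-revoke behaviour are assumptions made for illustration; `scenario` returns whether the single-user revoke took effect and how many users still receive "foo" afterwards.

```python
# Added illustration, not Keycloak code; the strategy names are hypothetical.
# "stamp": defaults added to every token; "copy": defaults copied to each user at
# registration; "composite": each user is mapped to one composite role "default".
class Realm:
    def __init__(self, strategy, defaults):
        self.strategy, self.defaults = strategy, set(defaults)
        self.composites = {"default": set(defaults)}   # composite -> member roles
        self.mappings = {}                             # user -> directly mapped roles

    def register(self, user):
        initial = {"copy": self.defaults, "composite": {"default"}}
        self.mappings[user] = set(initial.get(self.strategy, ()))

    def expand(self, roles):   # expand composites into plain roles; 'seen' stops cycles
        out, stack, seen = set(), list(roles), set()
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                if role in self.composites:
                    stack.extend(self.composites[role])
                else:
                    out.add(role)
        return out

    def revoke(self, user, role):   # touches this one user's mappings only
        direct = self.mappings[user]
        for comp in [r for r in direct if r != role and role in self.expand([r])]:
            # Assumption: detach the user from the composite, keep its other members.
            direct.remove(comp)
            direct |= self.expand([comp])
        direct.discard(role)

    def drop_default(self, role):   # one realm-level edit, no per-user writes
        self.defaults.discard(role)
        self.composites["default"].discard(role)

    def token_roles(self, user):
        stamped = self.defaults if self.strategy == "stamp" else set()
        return self.expand(self.mappings[user]) | stamped

def scenario(strategy, users=1000):
    realm = Realm(strategy, {"foo", "bar", "premium"})
    for i in range(users):
        realm.register(f"user{i}")
    realm.revoke("user0", "premium")                   # trial expired for one user
    revoked = "premium" not in realm.token_roles("user0")
    realm.drop_default("foo")                          # "foo" is no longer a default
    still_foo = sum("foo" in realm.token_roles(u) for u in realm.mappings)
    return revoked, still_foo
```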